[00:00.000 --> 00:04.680]  Okay, welcome to our talk, Evil Genius, Why You Shouldn't Trust That Keyboard,
[00:04.680 --> 00:08.960]  by Farid Perez and Mauro Eldridge from DC5411.
[00:09.900 --> 00:16.420]  Before we start, let's make a brief introduction on this talk and on ourselves, the speakers.
[00:17.320 --> 00:22.420]  I am Mauro Eldridge, I'm an Argentine hacker and I'm the founder of DC5411.
[00:22.780 --> 00:28.820]  I work as a cybersecurity architect and I was a speaker the last years at DEFCON Las Vegas,
[00:28.820 --> 00:35.280]  Siberia, Roadsec Brazil, Dragonjar Colombia, POSCON Iran and the Texas Cyber Summit,
[00:35.280 --> 00:43.680]  among other conferences. Thank you, Mauro. Hello everyone,
[00:43.680 --> 00:49.660]  my name is Farid Perez Saez, I am a Colombian hacker, assisting in communication.
[00:49.760 --> 00:59.380]  I work as a professor at the University of La Guajira and I am a member of DC5411 group.
[00:59.380 --> 01:06.220]  Also, I have been a speaker at Dragonjar Colombia, and now at DEFCON in this village.
[01:07.080 --> 01:12.540]  The objective of this talk is to explain bad USB attacks in a different way,
[01:12.540 --> 01:16.080]  combining hardware hacking, human hacking and social engineering.
[01:16.600 --> 01:21.480]  In this case, we will explain this type of attack using one of our evil creations,
[01:21.640 --> 01:25.940]  a tampered keyboard, which acts as a remote keylogger.
[01:26.800 --> 01:33.260]  As you can see in this photograph, it seems to be a classic keyboard, a normal cheap keyboard
[01:33.260 --> 01:45.020]  without anything suspicious. But well, you may be wrong. It looks pretty normal.
[01:46.300 --> 01:52.680]  This talk is divided into two chapters, the social engineering one, where we try to create
[01:52.860 --> 01:59.800]  a plausible alibi and the necessary conditions for our attack to be effective, and the hardware
[01:59.800 --> 02:06.240]  hacking one, where we explain the mechanics to build a bad USB with cheap parts and how we use
[02:06.240 --> 02:15.960]  this bad USB for exfiltration of data. Just a little disclaimer, the speakers have
[02:17.180 --> 02:22.660]  full permission from affected parties to conduct this experiment in an authorized manner.
[02:22.680 --> 02:32.160]  This is a complete red teaming exercise, and the authors weren't involved directly or indirectly in any illegal activity.
[02:33.260 --> 02:39.860]  Let's start with the first, the social engineering. The point of the experiment was to infect a user
[02:39.860 --> 02:48.220]  without any direct interaction, using only the bad USB keyboard, but without being able to touch it,
[02:48.220 --> 02:55.300]  even to connect it. So we had to rely on social engineering or human hacking to get someone else
[02:55.300 --> 03:04.080]  to do the job on our behalf. This is what we had so far. Our victim was an educational
[03:04.980 --> 03:11.340]  institution; we had no physical access to the place or help from the inside. They only had an open
[03:11.340 --> 03:17.520]  guest Wi-Fi connection, which we were not allowed to mess with, and it was segregated from the main
[03:17.520 --> 03:27.080]  network. So, at first, it might not seem like a really valuable asset. And we had a modified
[03:27.080 --> 03:33.100]  keyboard with our bad USB in its original box, with its accessories and manuals and everything
[03:33.100 --> 03:45.230]  you expect to find in a brand new unboxed item, right? So let's try to simplify this equation.
[03:45.230 --> 03:54.050]  We had no physical access from the inside and an original box. We had to create an attack vector
[03:54.790 --> 04:03.710]  from these really poor assets. So what can we do with no physical access and a box?
[04:03.890 --> 04:13.150]  The obvious first thing that came to our mind was the fake postal service.
[04:13.490 --> 04:23.350]  We have a postal imposter. This was way out of our scope, so we wanted to do something
[04:24.110 --> 04:33.010]  similar but not so violent. So we came with this little strategy.
[04:36.050 --> 04:42.610]  Delivering an unsolicited keyboard could only be somewhat strange and suspicious.
[04:42.610 --> 04:50.290]  You are not expecting an unsolicited keyboard any day of the week. So we had to improve our game
[04:50.290 --> 04:58.310]  and resort to helping the local industry by printing a few extra things for a small price.
[04:58.830 --> 05:02.370]  And these few extra things are the following.
[05:03.870 --> 05:12.490]  Note that we have censored the trademark, the brand, because the manufacturer is not
[05:12.490 --> 05:19.150]  linked in any way. It's not related to this talk or this experiment.
[05:20.770 --> 05:28.650]  So we had for a few dollars, we had stickers, a t-shirt, and a neatly packaged keyboard
[05:29.290 --> 05:36.770]  ready to be sent to the institution along with a simple letter. Absolutely nothing to suspect.
[05:37.350 --> 05:45.790]  Well, maybe. The package was sent via a well-known private courier app, which confirmed its receipt.
[05:48.010 --> 05:52.810]  A few hours later, we were already quite concerned, with the package marked
[05:52.810 --> 06:01.410]  as received but nothing happening. After a while, our keylogging data began to populate.
[06:01.750 --> 06:08.910]  Now you might question, you might ask yourself, how does this bad USB keyboard work?
[06:09.570 --> 06:16.310]  So, now my partner, Farid, the hardware hacker of the group, will explain to you the magic behind this
[06:16.870 --> 06:25.570]  electronic tampering. Thank you, Mauro. Here we have the planned components used in this
[06:25.570 --> 06:33.530]  project. If we want to do it ourselves, we must have a normal keyboard of the model
[06:33.530 --> 06:43.170]  most used in your country, the wireless network component for Arduino, an ESP8266, and an Arduino Nano,
[06:43.350 --> 06:49.870]  a standard USB cable, a command and control server, the Arduino programming interface,
[06:49.870 --> 07:01.830]  and above all, lots of patience. In this diagram, it is possible to observe the keyboard schematic.
[07:01.830 --> 07:14.250]  It depicts the operation from the moment the user inserts the keyboard's USB cable without
[07:14.870 --> 07:25.150]  noticing that the keyboard has the Arduino Nano device with an ESP8266 wireless interface
[07:25.150 --> 07:36.110]  for sending all the information entered on the keyboard to a C2 server, which will use PHP, MySQL and phpMyAdmin
[07:36.110 --> 07:47.490]  tools, where the hacker will be receiving all the information entered on our already tampered keyboard.
[07:48.930 --> 07:55.130]  All the parts are cheap and easy to conceal inside the device.
[07:55.610 --> 08:02.810]  This part does not add significant weight to the keyboard.
[08:03.190 --> 08:08.930]  There is no sign that could make the victim suspicious.
[08:11.070 --> 08:19.950]  In this image, you can see each component mentioned in the functional prototype of the attack.
[08:20.910 --> 08:28.870]  This image presents the POST method code to the C2 server.
[08:30.150 --> 08:44.680]  This image shows the C2 server connection code, or how to use the bad USB model to steal data online.
[08:45.080 --> 08:51.580]  As you may already know, this bad USB has a command and control server,
[08:51.580 --> 09:01.660]  which is built upon a LAMP stack, Linux, Apache, MySQL, PHP and phpMyAdmin, with a
[09:01.660 --> 09:05.420]  database and a simple table, as you may see now.
[09:06.240 --> 09:13.480]  You can see that there are at least 28 rows. These rows represent sessions. I'll take a
[09:13.480 --> 09:20.880]  moment to explain to you what sessions are on this bad USB keyboard. Once the buffer of the keyboard
[09:20.880 --> 09:29.080]  stops receiving data for a certain amount of time, it closes the buffer and uploads its contents
[09:29.640 --> 09:38.020]  to the web server, this command and control server. So it has separated different inputs
[09:38.020 --> 09:47.040]  by sessions. Let's try to inspect some of these sessions. For example, here, session number 11
[09:47.040 --> 09:56.280]  is when the user attempts to access gmail.com, but instead of entering its credentials,
[09:57.340 --> 10:03.620]  the victim jumps into another task, let's say Microsoft Word, and starts typing a document
[10:03.620 --> 10:12.840]  about Torres Javier. Then he goes back to Gmail and enters his or her credentials
[10:12.840 --> 10:20.090]  and passwords. We have another example here of passwords.
[10:21.260 --> 10:25.860]  And then internal instructions. For example, on number 20 it says
[10:26.690 --> 10:37.620]  I have bought a ream of paper for the office. On session 21 it says I have made a Mercado Todo
[10:37.620 --> 10:47.910]  recharge for the office. And it continues, right? Here we can see on session 24 another password.
[10:47.910 --> 10:54.830]  Try to picture obtaining these passwords with other methods, for example with cracking.
[10:55.270 --> 11:05.490]  It certainly won't be impossible, but it will take you a longer time than simply using this bad USB.
[11:06.190 --> 11:11.910]  On session 25 we have our first case of personally identifiable information.
[11:12.470 --> 11:19.410]  As you can see behind the encoding error, it says Cédula Ciudadanía, which means,
[11:19.410 --> 11:27.330]  translated from Spanish, national ID, which is the equivalent for the SSN, the social security
[11:27.330 --> 11:35.470]  number in the USA. It's a number that identifies a citizen, so it is treated as private information.
[11:37.690 --> 11:46.910]  Then on session 22 we have the login from an online banking site. Obviously the credentials were there too.
[11:49.420 --> 11:56.720]  So far, you may ask yourself what you can do. Well, you can obtain credentials for any local
[11:56.720 --> 12:04.400]  or remote service, for local users or cloud services or different providers online.
[12:05.220 --> 12:11.300]  You can obtain private information about users, resources, documents and infrastructure.
[12:12.000 --> 12:17.600]  You can discover internal conversations or communications, as we have seen before.
[12:17.600 --> 12:25.640]  You can see internal orders, for example, or internal documents about daily basis tasks.
[12:26.840 --> 12:33.100]  You can use this keyboard as a pivot for new attacks, and in very specific scenarios,
[12:33.100 --> 12:39.500]  rare scenarios, an attacker could compromise an entire supply chain,
[12:39.500 --> 12:48.210]  replacing normal keyboards with infected ones. I know this may sound actually a little bit crazy
[12:48.210 --> 12:58.350]  or a little bit too rare or too unique, but some days ago counterfeit or fake Cisco switches were
[12:58.350 --> 13:08.090]  deployed in production. So a network engineer saw that his core switch was failing or acting clunky,
[13:08.890 --> 13:15.190]  tried to troubleshoot it and ended up finding that it was a counterfeit one.
[13:15.630 --> 13:21.210]  That's about counterfeit hardware. I want to offer you a small appendix with a brief
[13:21.210 --> 13:27.930]  explanation and comparison of fake hardware, and to speak about the possibility of using it
[13:27.930 --> 13:35.350]  for red teaming, aside from what everybody else is using it for, you know, shading.
[13:37.790 --> 13:45.630]  You might notice first case, it's the keyboard that we were talking about. This is our own prototype.
[13:46.310 --> 13:53.470]  You might find no substantial differences on the outside, no evidence of tampering, nothing
[13:53.470 --> 14:02.910]  really to worry about. And this is the original one, with a non-stock picture from an e-commerce
[14:02.910 --> 14:13.370]  site. As you see, there are no differences between them. But this tampering is not really limited to
[14:13.370 --> 14:21.170]  any kind of hardware. You can tamper anything you want. For example, let's take a look at this set
[14:21.170 --> 14:30.950]  of speakers that we have tampered ourselves, for another case study. These speakers might look,
[14:30.950 --> 14:37.430]  as the keyboard, really normal on the outside, nothing really weird about them. But once you
[14:37.430 --> 14:44.670]  open them, you find they are tampered. You find that they have other hardware pieces
[14:44.670 --> 14:50.690]  scattered around, which makes it really suspicious to a trained eye.
[14:51.590 --> 14:56.830]  Now let's take a look at a photograph of these original speakers.
[14:57.670 --> 15:02.410]  Again, a non-stock picture from an e-commerce site. They are recently unboxed.
[15:02.530 --> 15:08.270]  As you might see, there's nothing to worry about, nothing really strange or weird about them.
[15:09.490 --> 15:13.150]  But this is not only limited to small hardware.
[15:14.670 --> 15:21.610]  Even critical hardware like switches, in this case core switches from Cisco, can be tampered with.
[15:22.570 --> 15:33.130]  This is a very good comparison between an original Cisco switch board and two counterfeit ones.
[15:33.210 --> 15:41.410]  The source is F-Secure. As you can see, the one on the left is the original one. The second and
[15:41.410 --> 15:50.990]  third are counterfeit. Take a look at the second: on the lower half, it has the Cisco trademark
[15:52.110 --> 16:02.070]  printed on the board, while the third one does not. So differences are subtle and can be really overlooked
[16:02.070 --> 16:10.690]  by an untrained eye. This is the dangerous part of this. It is very easy to be misled by this
[16:10.690 --> 16:19.410]  hardware. It doesn't end here, this is not something new as I said before. A user on Reddit a year ago
[16:19.410 --> 16:29.070]  posted about being a victim of counterfeit Cisco devices. Let's take a look at first
[16:29.770 --> 16:38.070]  at an original Cisco switch front panel and then a counterfeit one. The sources of these
[16:38.070 --> 16:46.130]  images are Reddit, the original post, and eBay. This is the original one.
[16:46.810 --> 16:56.090]  As you may see, this is what you expect to unbox from Cisco. And this is the counterfeit one.
[16:56.730 --> 17:04.270]  It's basically what you expect again to unbox when you buy a Cisco switch. So there are no really
[17:05.610 --> 17:12.970]  really big differences. Some of the most noted differences on counterfeits are the brightness
[17:12.970 --> 17:22.470]  of the numbers of the ports. As you may see, 1, 2, 11, 13, 12, and 14, 23, 24, etc.
[17:22.670 --> 17:29.810]  This is something that is most noted on the internet. The brightness of those numbers,
[17:29.810 --> 17:38.330]  nothing else from the front. And some people noted that the screws are different.
[17:38.750 --> 17:48.150]  So unless you open it, or unless you have something really really specific about it,
[17:48.150 --> 17:57.950]  you won't suspect. This is just to make you understand the dangers of counterfeit or fake
[17:57.950 --> 18:04.190]  hardware. And out there, there are people dedicated to faking this kind of hardware.
[18:04.390 --> 18:10.590]  Not only for a red teaming exercise like ourselves, but to make a profit from it. And it is really
[18:10.590 --> 18:17.810]  really dangerous to corporations, or to small companies, and to almost every institution out
[18:17.810 --> 18:26.730]  there. So before we close this talk, we would like to share a little demo with you about this
[18:26.730 --> 18:36.630]  keyboard and how it acts. So since this is a demo, we'll use two laptops and one of the infected keyboards.
[21:14.170 --> 21:19.850]  Time to say goodbye and jump to the conclusions, and obviously the questions and answers.
[21:21.430 --> 21:28.610]  Our conclusions are that you always have to be wary of any new device, whether USB or not.
[21:28.610 --> 21:37.550]  This may seem obvious, but anyone could be a victim. Be honest, would you have suspected
[21:38.290 --> 21:46.510]  this keyboard if you just saw it lying around on a desk or in your office? Probably not.
[21:47.750 --> 21:58.590]  And bear in mind that with a few dollars anyone can build or even buy a product of this type,
[21:58.590 --> 22:05.650]  in this case. It is never possible to use preventive measures against bad USBs.
[22:06.530 --> 22:11.450]  And always remember that the mousetrap works because the mouse doesn't quite understand
[22:11.450 --> 22:18.970]  why the cheese is free. So educate your users to not pick up things from strangers.
[22:21.810 --> 22:28.610]  You can get in touch with us at GitHub, Mauro Eldridge and DC5411, or on Twitter,
[22:28.610 --> 22:33.610]  you have our handles here. We are always open to discuss hardware hacking,
[22:33.610 --> 22:38.390]  social engineering and hacking in general, so we'll be more than happy to talk with you.
[22:39.050 --> 22:44.970]  If you have any questions, we'll gladly answer them in the chat. Thank you!
